Creating and operating a local CA

After you configure the human resources HTTP Server to use Transport Layer Security (TLS), you must configure a certificate for the server to use to initiate TLS. Based on the objectives for this scenario, you have chosen to create and operate a local Certificate Authority (CA) to issue a certificate to the server.

When you use Digital Certificate Manager (DCM) to create a local CA, you are guided through a process that ensures that you configure everything that you need to enable TLS for your application. This process includes adding a copy of the newly created local CA certificate to the *SYSTEM certificate store and assigning the certificate that the local CA issued to your web server application. If the application uses a CA trust list to narrow the set of CA certificates it trusts below the full list of enabled CA certificates in the *SYSTEM certificate store, add the local CA to that trust list. Having the local CA in the application's trust list ensures that the application can recognize and authenticate users that present certificates that the local CA issues.

To use Digital Certificate Manager (DCM) to create and operate a local CA and issue a certificate to your human resources server application, complete these steps:

  1. Start DCM. Refer to Starting DCM.
  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms.
    These forms guide you through the process of creating a local CA and completing other tasks needed to begin using digital certificates for TLS, object signing, and signature verification.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the online help.
  3. Complete the forms for this guided task. These forms walk you through every task needed to set up a working local Certificate Authority (CA), in the following order:
    1. Provide identifying information for the local CA.
    2. Install the local CA certificate on your PC or in your browser so that your software can recognize the local CA and validate certificates that the local CA issues.
    3. Choose the policy data for your local CA.
      Note: Be sure to select that the local CA can issue user certificates.
    4. Use the new local CA to issue a server or client certificate that your applications can use for TLS connections.
    5. Select the applications that can use the server or client certificate for TLS connections.
      Note: Be sure to select the application ID for your human resources HTTP Server.
    6. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects.
      This subtask creates the *OBJECTSIGNING certificate store; this is the certificate store that you use to manage object signing certificates.
      Note: Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you must perform separate tasks to complete your TLS certificate configuration.
    7. Select the applications that use a CA trust list and should trust the local CA. If an application's CA trust list is empty, all CAs in the *SYSTEM store are trusted by default.
      Note: Do not select the application ID for your human resources HTTP Server, for example, QIBM_HTTP_SERVER_MYCOTEST, unless you plan to use a CA trust list.
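The steps above are performed in the DCM forms, so there is no code on this page. The following added example (it is not part of this documentation and does not use DCM) models the same workflow with the openssl command line so you can see what the guided task produces: a self-signed local CA with CA policy extensions (steps 1 and 3), a TLS server certificate issued by that CA (step 4), and a CA trust list represented as a PEM bundle, which is checked exactly as an application with a trust list would check a presented certificate (step 7). The organization name, the host name hr.example.test, the second "Some Other CA", and all file names are constructed for the example; a temporary directory holds the generated files.

```shell
#!/bin/sh
# Added example, not DCM: models the local-CA workflow with openssl.
# Every name here (Example Corp, hr.example.test, file stems) is constructed.
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: a fixed subject and the CA policy data that matters
# (CA:TRUE plus the certificate-signing key usage). The x509_extensions
# section is only applied when the config is used with "req -x509".
write_cnf() {         # $1 = config path, $2 = common name
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Corp
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create a CA: private key plus self-signed CA certificate.
make_ca() {           # $1 = file stem, $2 = CA common name
  write_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a TLS server certificate from a CA: CSR first, then the CA signs it
# with server-only extensions so the leaf cannot itself act as a CA.
issue_server_cert() { # $1 = CA stem, $2 = server stem, $3 = DNS name
  write_cnf "$WORK/$2.cnf" "$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Model of an application's CA trust list: a PEM bundle of the CAs it accepts.
# The system trust store is excluded so only the bundle decides. Returns 0
# when the certificate chains to a CA in the bundle, non-zero otherwise.
trusted_by() {        # $1 = trust-list bundle, $2 = certificate to check
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the scenario: the local CA, an unrelated CA, a server certificate
# from each, and two trust lists (local CA only; all enabled CAs).
build_demo() {
  make_ca localca "Example Local CA" || return 1
  make_ca otherca "Some Other CA"    || return 1
  issue_server_cert localca hrserver    hr.example.test || return 1
  issue_server_cert otherca otherserver hr.example.test || return 1
  cp "$WORK/localca.crt" "$WORK/trustlist-local.pem"
  cat "$WORK/localca.crt" "$WORK/otherca.crt" > "$WORK/trustlist-all.pem"
}

build_demo || { echo "certificate generation failed" >&2; exit 1; }
for cert in hrserver otherserver; do
  for list in trustlist-local trustlist-all; do
    if trusted_by "$WORK/$list.pem" "$WORK/$cert.crt"; then r=accepted; else r=rejected; fi
    echo "$cert.crt against $list: $r"
  done
done
```

The two trust lists show the difference step 7 describes: with only the local CA in the list, a certificate issued by any other CA is rejected even though it carries the same host name, while the bundle of all CAs corresponds to an empty trust list, where every enabled CA is accepted. Inspect what the guided task would have produced with `openssl x509 -in "$WORK/hrserver.crt" -noout -text`.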

When you complete the certificate configuration that your Web server application requires to use TLS, you can configure the Web server to require certificates for user authentication.